Microsoft Fixes 23 Software Security Flaws

Microsoft on Tuesday issued eight security updates to plug at least 23 security holes in its Windows operating systems and other software. The patches are available through Windows Update or via Automatic Updates.

One patch fixes six flaws in Internet Explorer 6 and 7 (the flaws are not present in IE8), including the carpet-bombing issue. Microsoft addressed that vulnerability both with this IE update and with a stand-alone fix for Windows XP and newer Windows versions. Microsoft rated this update critical, meaning attackers could exploit these IE flaws merely by convincing a user to visit a hacked or booby-trapped Web site.

Redmond also issued updates to fix at least two zero-day threats: vulnerabilities that attackers have been exploiting in targeted attacks to break into Windows systems. These include a fix for a Microsoft Excel vulnerability, and an update for a hole in most supported versions of WordPad/Microsoft Office that attackers have been exploiting since December.

One patch addresses a particularly insidious vulnerability that Microsoft rates only "important," but which security experts say could become a huge threat for Web hosting facilities that fail to apply this update.

The issue has to do with a vulnerability in Windows that is susceptible to a technique known as token kidnapping (PDF research paper). In an oversimplified explanation: one way to keep a program from making key changes to the underlying operating system is to run it under a restricted account that simply does not have all-powerful, system-level rights to modify important settings on the host. Token kidnapping is a way for code running under such a restricted service account to steal the access token of a more privileged process and use it to run with full system rights.

Least-privilege approaches are most useful for applications that face hostile input on a more or less constant basis, such as Web browsers and Web servers. This vulnerability, however, could allow an attacker who already controls such a restricted process to bypass that protection and gain full control over the affected system.

Eric Schultze, chief technology officer for Shavlik Technologies, said this flaw is especially dangerous for systems running IIS Web servers and SQL database servers. In a shared Web hosting environment, where multiple customers host their Web sites on the same server, a malicious customer or a hacked customer account could be used to upload a file that gives the attacker total control over all of the sites on that server.
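The practical question for a hosting operator is how much of the box depends on the service-account boundary this flaw breaks. The PowerShell script below is an added example, not code from the article or from Shavlik: it inventories the identity of every IIS application pool and Windows service and labels each as either relying on that boundary (NetworkService, LocalService, ApplicationPoolIdentity) or already running as LocalSystem, which has no boundary left to lose. It assumes IIS 7.x with the WebAdministration module; the labels are the script's own classification.

```powershell
# Added example (not from the article): inventory which accounts IIS worker
# processes and Windows services run under on a shared host.
# Assumption: IIS 7.x with the WebAdministration PowerShell module. Run elevated.
Import-Module WebAdministration -ErrorAction Stop

# Built-in low-privilege identities: these rely on the boundary token kidnapping bypasses
$serviceAccounts = @('NetworkService', 'LocalService', 'ApplicationPoolIdentity')

function Get-AppPoolIdentityReport {
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $idType = [string]$_.processModel.identityType
        if ($idType -eq 'SpecificUser') { $identity = $_.processModel.userName } else { $identity = $idType }
        if ($idType -eq 'LocalSystem')                { $note = 'already SYSTEM: no boundary to lose' }
        elseif ($serviceAccounts -contains $idType)   { $note = 'relies on service-account boundary' }
        else                                          { $note = 'custom account: review its rights' }
        New-Object PSObject -Property @{ Kind = 'AppPool'; Name = $_.Name; Identity = $identity; Note = $note }
    }
}

function Get-ServiceAccountReport {
    # Win32_Service.StartName is 'LocalSystem', 'NT AUTHORITY\NetworkService', etc.
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $account = $_.StartName
        if ($account -eq 'LocalSystem')              { $note = 'already SYSTEM: no boundary to lose' }
        elseif ($account -like 'NT AUTHORITY\*')     { $note = 'relies on service-account boundary' }
        else                                         { $note = 'custom account: review its rights' }
        New-Object PSObject -Property @{ Kind = 'Service'; Name = $_.Name; Identity = $account; Note = $note }
    }
}

# Combined report, grouped so the boundary-dependent processes are easy to count
@(Get-AppPoolIdentityReport) + @(Get-ServiceAccountReport) |
    Sort-Object Note, Kind, Name |
    Format-Table Kind, Name, Identity, Note -AutoSize
```

On a shared host, every app pool in the "relies on service-account boundary" group is a customer process that, unpatched, is one uploaded file away from SYSTEM; the LocalSystem group is a separate problem, since those never had least privilege to begin with.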

Schultze called this fix the most ambitious patch Microsoft has ever produced, noting that Microsoft originally said the issue was too complex to fix.

"Microsoft expended a great deal of effort in correcting this issue - even pulling developers off of Windows 7 to assist with this patch," Schultze said. Microsoft has even more detail on this process here.

Security researchers have already released instructions describing how to attack roughly half of the vulnerabilities Microsoft addressed in this release. If you run a Windows machine, don't let too much time elapse before applying these updates. Most of them will not take effect until the patched system has been restarted.
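Because the fixes only bite after a restart, "the update downloaded" and "the update is in effect" are different states. The script below is an added example, not from the article: it checks that a list of hotfixes is installed and whether the machine still has a pending reboot. The KB number is a placeholder you replace from Microsoft's bulletin listing (linked below); it is an assumption of the script, not an identifier from the article.

```powershell
# Added example (not from the article): confirm updates are installed and
# whether the restart that makes them take effect is still pending.
# The KB value is a placeholder; supply the real numbers from Microsoft's bulletin list.
param(
    [string[]]$RequiredKB = @('KB000000')
)

function Get-MissingHotfix {
    param([string[]]$Required)
    # Get-HotFix wraps Win32_QuickFixEngineering; one query, then compare case-insensitively
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID.ToUpper() }
    $Required | Where-Object { $installed -notcontains $_.ToUpper() }
}

function Test-PendingReboot {
    # Markers written by Windows Update and Component Based Servicing when a restart is owed
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($k in $keys) { if (Test-Path $k) { return $true } }
    # Files replaced at next boot (e.g. in-use DLLs swapped by a patch)
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { return $true }
    return $false
}

$missing = Get-MissingHotfix -Required $RequiredKB
if ($missing) { "Not installed: $($missing -join ', ')" } else { "All required updates installed." }
if (Test-PendingReboot) { "Restart pending: patched files are not yet in effect." } else { "No restart pending." }
```

Run it elevated, for example `.\Check-Patch.ps1 -RequiredKB KB000000,KB000001` with the real numbers; a machine that reports every update installed but a restart pending is still exposed.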

As always, please sound off in the comments below if any of these updates appear to introduce problems for your system. Likewise, I will keep an eye out for any reports of issues with this large bundle of updates. A listing of each vulnerability addressed by today's updates can be found here.

I am always awakened at 3:00 am on Update Tuesday (actually early Wednesday morning) by my PC's musical signal that it is logging off and restarting as a result of the Automatic Update feature. I then turn over and go back to sleep, comfortable and cozy knowing I am relatively safe for another month.

I had no problems downloading and applying the updates for XP today. Interestingly, on one PC with the English version the .NET Framework 3.5 update was 248 MB, while on another machine the Italian-language version was 271 MB.

Is it necessary to retain all of the .msp files in the Windows/Installer directory? They are large and numerous!

SOOoo well done, Brian K. I rely on your keeping us informed.
I have an iMac G5 and have been using Firefox 3.0.8. Last Friday my Verizon Yahoo email went completely out of calibration. I cobbled together Opera & a new email on Netscape to access, with great slowness and difficulty, my previous email so I would not be completely out of touch with the world outside my room. To get to the point, the nice people at Verizon-Yahoo suggested that I not use Firefox 3.0.8 at all: suggestion of software incompatibility.
Maybe this was at the root of the Darwin kernel panic that I mentioned in your Security Fix Live session of 30 Jan 2009.
I SEEM to be OK for now. Any suggestions welcome.

Reading blogs on content like this explains why there are so many updates and new versions of programs like IE. I have to give credit to MSFT; I also heard they pulled developers from other areas like Win7 development in order to tackle this issue on mostly outstanding products (in other words, not tied completely to revenue but instead to service/reputation). This link http://www.justaskgemalto.com/en/working has good tips on security at work.